Welcome to “Kernel”
Presentation on
Digital forensics research: The next 10 years
MISS-2016A (Master of Information systems Security)
Bangladesh University of Professionals
Team Members
Mehedi Hasan
Sorfaraz Uddin
Al Imran
Rezaul Islam (Team Leader)
Rajiv Kumar
Contents
• Objectives
• Key Observations
• Potential Constraints
• Research Directions
• Challenges
• Questions and Comments
1.0 Objectives
• Propose a plan for achieving a dramatic improvement in digital forensics (DF) research
• Achieve operational efficiency in representing forensic data and performing forensic computation
• Describe today's challenges in the DF field
• Propose a new DF research methodology
2.1 Key Observations
• Forensics and digital forensics
 – Forensics is the application of science to solve a legal problem
 – Digital forensics is the investigation of crime using digital/computer methods; in a word, it is a recovery science
• Major classifications of digital forensics
 – Computer forensics
 – Network forensics
 – Database forensics
 – Chip-off forensics
• Early forensic history
 – Diversity, in the bad sense
 – Poor documentation for many file types
 – Centralized computing facilities and time-sharing
 – No formal tools, training or education
Source: MISS1103: Digital Forensics, Prof. Syed Akhter Hossain (SAH), 2016, pages 5-6
2.2 Key Observations: Lifecycle of Digital Forensics
Source: Garfinkel, Simson L., "Digital Forensics Research: The Next 10 Years", 2010
Early years (1970s-1990s)
• Hardware, software, and application diversity
• A proliferation of data file formats
• Heavy reliance on time-sharing and centralized computing facilities
• Absence of formal process, tools, and training
"Golden years" (1990s-2000s)
• The widespread use of Microsoft Windows, and specifically Windows XP
• Relatively few file formats of forensic interest
• Examinations largely confined to a single computer system belonging to the subject of the investigation
• Storage devices equipped with standard interfaces (IDE/ATA)
Era of crisis (2010s-...)
• Growing size of storage devices
• Increasing prevalence of embedded flash storage
• Proliferation of hardware interfaces
• Proliferation of operating systems and file formats
• Pervasive encryption
• Use of the "cloud" for remote processing and storage, splitting a single data structure into elements
2.3 Key Observations: 2014 Overall Statistics and Current Record
(Chart slide; the figure is not reproduced in the text.)
Source: www.fbi.gov
2.4 Key Observations: Major Barriers According to the Researcher
• Cooperation gap
 – Cyber-criminals are becoming the masters of international cooperation
• Fundamental problem
 – Today's tools were created for solving child pornography cases, not computer hacking cases
• Difficulty of reverse engineering
 – Software tools are sold without restrictions, there is no standard set of tools, and file formats are arbitrary
• Cyber-criminals' weapon
 – Mobile phones are becoming a primary tool of cyber-criminals and terrorists, yet there is no standard way to extract information from cell phones
Source: Garfinkel, Simson L., "Digital Forensics Research: The Next 10 Years", 2010
2.5 Key Observations: Obligations for the Future
• Better technology
 – Ability to handle volume
 – Ability to handle complexity
• Better research
 – Formal methods of analysis
 – Intelligent data mining
 – Structured processes
• Better communication
 – Computer scientists
 – Legal experts
3.1 Potential Constraints
• Slower analysis
 – The growing size of storage devices means that there is frequently insufficient time to create a forensic image of a subject device, or to process all of the data once it is found
• Greater diversity
 – The increasing prevalence of embedded flash storage and the proliferation of hardware interfaces mean that storage devices can no longer be readily removed or imaged
• Multiple analyses
 – The proliferation of operating systems and file formats is dramatically increasing the requirements and complexity of data exploitation tools and the cost of tool development
 – Whereas cases were previously limited to the analysis of a single device, cases increasingly require the analysis of multiple devices followed by correlation of the evidence found
3.2 Potential Constraints
• Encryption
 – Pervasive encryption means that even when data can be recovered, it frequently cannot be processed
• Cloud computing
 – Use of the "cloud" for remote processing and storage, and to split a single data structure into elements, means that frequently data or code cannot even be found
• Hidden malware
 – Malware that is never written to persistent storage requires expensive RAM (memory) forensics
• Legal trouble
 – Legal challenges increasingly limit the scope of forensic investigations
4.1 Research Directions
• Develop a new digital forensic methodology by
 – creating a wide range of standardized abstractions for thinking about, representing and computing with information
 – creating alternative analysis models:
   a) Stream-based disk forensics (read the media once, sequentially, and run every analysis on the data as it streams by)
   b) Stochastic analysis (sample the media at random instead of reading all of it)
   c) Prioritized analysis (process the data most likely to matter first)
   d) Scale and validation
• Head off the coming digital forensics crisis by creating new techniques, tools and procedures
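As an added example (not code from the presentation or from Garfinkel's paper), the following Python script shows what the stream-based model in direction (a) means in practice: the image is read once, front to back, and several independent analyses run on each block as it streams by, namely the whole-image hash, block-hash matching against a set of known-bad blocks, header carving, and a Shannon-entropy check that flags blocks that are probably encrypted or compressed and so, as the Potential Constraints section notes, cannot be processed further. Findings are yielded the moment they are seen rather than after ingest finishes. The five-sector image, the "known bad" block, the signature table, the 4 KiB sector size and the 7.8 bits/byte entropy threshold are all assumptions constructed for the example.

```python
"""Stream-based disk forensics: several analyses in one sequential pass.

Added example, not code from the presentation or the paper it summarises.
The disk image, the "known bad" block and the signature table are all
constructed inline so the script runs offline.
"""
import hashlib
import math
import random
from collections import Counter

SECTOR = 4096  # assumption: 4 KiB physical sectors, as on modern drives

# Minimal header signatures for carving; real carvers use far larger tables.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: about 7.95 for a random/encrypted 4 KiB block,
    roughly 4-5 for English text, 0 for an all-zero block."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def whole_image_hash(image: bytes) -> str:
    """One-shot hash of the image, used to check the streamed hash."""
    return hashlib.sha256(image).hexdigest()


def scan_stream(image: bytes, known_bad: dict, sector: int = SECTOR,
                entropy_threshold: float = 7.8):
    """Generator: read the image once, sequentially, yielding findings as they appear.

    Yielding (instead of returning after the pass) is the point of the stream
    model: the examiner sees hits while ingest is still running, and because
    the per-block work is independent it could be handed to worker processes.
    """
    image_hash = hashlib.sha256()
    for idx, off in enumerate(range(0, len(image), sector)):
        blk = image[off:off + sector]
        image_hash.update(blk)                     # whole-image hash, same pass
        digest = hashlib.sha256(blk).hexdigest()   # block hash for known-content matching
        if digest in known_bad:
            yield ("known_bad", idx, known_bad[digest])
        for magic, kind in SIGNATURES.items():
            if blk.startswith(magic):
                yield ("header", idx, kind)
        if shannon_entropy(blk) >= entropy_threshold:
            yield ("high_entropy", idx, None)      # likely encrypted or compressed
    yield ("image_hash", None, image_hash.hexdigest())


def analyze(image: bytes, known_bad: dict, sector: int = SECTOR) -> dict:
    """Collect the stream's findings into one report (for batch use and tests)."""
    report = {"known_bad": [], "header": [], "high_entropy": [], "image_hash": None}
    for kind, idx, info in scan_stream(image, known_bad, sector):
        if kind == "image_hash":
            report["image_hash"] = info
        elif kind == "high_entropy":
            report["high_entropy"].append(idx)
        else:
            report[kind].append((idx, info))
    return report


def _pad(data: bytes, size: int = SECTOR) -> bytes:
    return data.ljust(size, b"\0")


def build_sample_image():
    """Constructed five-sector image: zeros, a JPEG header, a planted 'contraband'
    block, a pseudo-random (encrypted-looking) block and a PDF header.
    Returns (image_bytes, known_bad_dict)."""
    rng = random.Random(2016)
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    contraband = _pad(b"CONSTRUCTED-CONTRABAND-BLOCK-0001")
    sectors = [
        bytes(SECTOR),
        _pad(b"\xff\xd8\xff\xe0" + b"JFIF sample " * 20),
        contraband,
        encrypted_like,
        _pad(b"%PDF-1.4 sample document"),
    ]
    known_bad = {hashlib.sha256(contraband).hexdigest(): "sample-contraband-0001"}
    return b"".join(sectors), known_bad


if __name__ == "__main__":
    img, bad = build_sample_image()
    for event in scan_stream(img, bad):
        print(event)
```

Run as-is it prints the events in the order they are encountered: the JPEG header in sector 1, the known-bad hit in sector 2, the high-entropy sector 3, the PDF header in sector 4 and finally the image hash. The entropy check only says that a block cannot be interpreted as it stands; it does not distinguish encryption from compression, so a high-entropy region still needs a second look (file-system metadata, container headers) before it is written off as unprocessable.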
5.1 Upcoming Crisis/Challenges
• Today's examiners frequently cannot obtain data in a forensically sound manner or process data to completion; evidence may be routinely missed
• The most common case is cell phone data and other mobile computing platforms: there are thousands of cell phone models in use
• There is no standard way to extract information from a cell phone, yet it is a primary tool for criminals and terrorists
• Similar problems of diversity and data extraction exist with telecommunications equipment, video game consoles, even e-book readers
• Inability to extract information from devices in a clean and repeatable manner means that we are unable to analyze these devices for malware/Trojan attacks
• Encryption and cloud computing both threaten forensic visibility
• RAM-based forensics can capture the current state of a machine, but RAM DF tools are more difficult to create
• DF tools face extraordinarily high research and development costs; without continual updating they rapidly become obsolete
• DF professionals often rely on open source tools, but there is no recognized or funded clearing house for open source forensic software
• Training is a serious problem facing organizations that deliver forensic services
• A variety of legal challenges combine to make the very process of computer forensics more complicated, time consuming, and expensive
5.2 Research Challenges
• Evidence-oriented design
 – Today's tools were designed to help examiners find specific pieces of evidence, not to assist in an investigation
 – Today's tools were created for solving crimes committed against people where the evidence resides on a computer; they were not created to assist in solving typical crimes committed with computers or against computers
• The "visibility, filter and report" model
 – This model does not readily lend itself to parallel processing; as a result, ingest delays are increasing with each passing year
• The difficulty of reverse engineering
 – There is no standard set of tools or procedures for a systematic approach to reverse engineering
• Monolithic applications
 – Binding all capabilities (data formats, cryptographic schemes) into a single application makes it impossible for end users to mix and match these capabilities
• Lost academic research
 – Academic researchers can distribute open source tools that can be used directly, but most end users lack the skills to download and use them
 – Academic researchers can license technology to a vendor, which then sells the technology directly or incorporates it into an existing tool
 – Vendors can read and learn from academic papers, but they are relatively uninformed about the current state of academic forensic research
6. Advancement
The paper "Fast contraband detection in large capacity disk drives" proposes a triage solution for improving the efficiency of the DF tools used in forensic analysis.
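As an added example (not code from the presentation or from the paper just cited), the following Python script shows the sampling idea behind sector-based triage, which is also Garfinkel's "stochastic analysis" research direction: instead of imaging the whole drive, read n sectors chosen at random and compare their hashes with a database of known-contraband block hashes. If contraband occupies a fraction f of the drive, the chance that n random sectors all miss it is about (1 - f)^n, so n can be chosen for a target confidence before the drive is touched. The 1000-sector drive, the 50 planted "contraband" blocks, the hash database and the 4 KiB sector size are constructed for the example; on a real device the slice would be an os.pread() at the sector offset.

```python
"""Sampling-based triage of a large disk (stochastic analysis).

Added example, not code from the presentation or the paper it cites.
The drive image and the "contraband" hash database are constructed inline.
"""
import hashlib
import math
import random

SECTOR = 4096  # assumption: 4 KiB sectors


def samples_needed(fraction: float, confidence: float) -> int:
    """Smallest n with 1 - (1 - fraction)**n >= confidence.

    Treats draws as independent (sampling with replacement). For drives with
    millions of sectors this is indistinguishable from sampling without
    replacement, and it errs on the safe side (never under-estimates n).
    """
    if not 0 < fraction < 1 or not 0 < confidence < 1:
        raise ValueError("fraction and confidence must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - fraction))


def is_probative(block: bytes) -> bool:
    """Skip blocks that occur on every drive (all-zero, all-0xFF); a hit on
    such a block says nothing. Real deployments also drop blocks shared by
    OS installs and popular applications before building the database."""
    return block != bytes(len(block)) and block != b"\xff" * len(block)


def sample_triage(image: bytes, known_bad: set, n_samples: int,
                  sector: int = SECTOR, seed=None):
    """Hash n_samples randomly chosen sectors; return (sampled_indices, hit_indices).

    Only the sampled sectors are read (random access, no full image), which is
    what makes this usable on drives too large to image in the time available.
    """
    n_sectors = len(image) // sector
    rng = random.Random(seed)
    sampled = sorted(rng.sample(range(n_sectors), min(n_samples, n_sectors)))
    hits = []
    for idx in sampled:
        blk = image[idx * sector:(idx + 1) * sector]   # device: os.pread(fd, sector, idx * sector)
        if is_probative(blk) and hashlib.sha256(blk).hexdigest() in known_bad:
            hits.append(idx)
    return sampled, hits


def build_sample_drive(n_sectors: int = 1000, n_bad: int = 50, seed: int = 7):
    """Constructed drive: distinct benign filler, every tenth sector all-zero,
    and n_bad distinct 'contraband' blocks planted at random positions.
    Returns (image, known_bad_hashes, planted_positions)."""
    rng = random.Random(seed)
    sectors = [
        (b"benign-filler-%05d" % i).ljust(SECTOR, b"\0") if i % 10 else bytes(SECTOR)
        for i in range(n_sectors)
    ]
    planted = sorted(rng.sample(range(n_sectors), n_bad))
    known_bad = set()
    for j, pos in enumerate(planted):
        blk = (b"CONSTRUCTED-CONTRABAND-%04d" % j).ljust(SECTOR, b"\0")
        sectors[pos] = blk
        known_bad.add(hashlib.sha256(blk).hexdigest())
    return b"".join(sectors), known_bad, planted


if __name__ == "__main__":
    image, db, planted = build_sample_drive()
    n = samples_needed(fraction=0.05, confidence=0.99)   # 90 reads for 5% at 99%
    sampled, hits = sample_triage(image, db, n, seed=1)
    print(f"read {len(sampled)} of {len(image) // SECTOR} sectors, "
          f"{len(hits)} contraband hits at {hits}")
```

Two caveats a practitioner should keep in mind. First, the method only finds content that occupies a meaningful fraction of the drive: 90 reads give 99% confidence against 5% contraband, but a single small file on a multi-terabyte disk is invisible to sampling, so a negative result is a triage outcome, not a clearance. Second, block hashing assumes that file data on the drive is aligned to the same block boundaries as the database was built with; misaligned or fragmented allocation, compression and encryption all defeat the match, which is why the database must be built from the same block size and why non-probative blocks are filtered before they can produce false hits.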
THANK YOU

Editor's Notes

  • #3 This is the Kernel team; the leader is Mr. Rezaul Islam. The digital forensics objective is presented by Mr. Al-Imran.
  • #4 Our presentation is divided into two parts.
  • #7 Hello guys, the 1970s are the birthday of digital forensics. According to the researcher, 1970 to 1990 are the early years.
  • #8 This is the total of losses reported from the top 50 countries. Statistics were rounded to the nearest hundredth. The top 50 countries represent 98.59% of the total losses reported.